Home > Blogs > VMware Security & Compliance Blog

VMware Security Advisory VMSA-2018-0007

Today VMware has released the following new and updated security advisories:

VMSA-2018-0007

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

VMware Security Advisory VMSA-2018-0006

Today VMware has released the following new and updated security advisories:

VMSA-2018-0006 – vRealize Automation, vSphere Integrated Containers, and AirWatch Console updates address multiple security vulnerabilities

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2018-0005

Today, VMware has released the following new security advisory:

VMSA-2018-0005 VMware Workstation, and Fusion updates resolve use-after-free and integer-overflow vulnerabilities

This documents the remediation of Critical and Important severity issues (CVE-2017-4949, and CVE-2017-4950).

Issues (a) CVE-2017-4949 is a use-after-free vulnerability in VMware NAT service which can be exploited when IPv6 mode is enabled. This issue is rated as critical and may allow a guest to execute code on the host.

Issue (b) CVE-2017-4950 is an integer-overflow vulnerability in VMware NAT service which can be exploited when IPv6 mode is enabled. This issue is rated as important and may lead to an out-of-bound read which can then be used to execute code on the host in conjunction with other issues.

IPv6 mode for VMNAT is not enabled by default. VMware Workstation 14.1.1, 12.5.9 and VMware Fusion 10.1.1, 8.5.10 fix these issues.

We would like to thank WenQunWang of Tencent’s Xuanwu LAB for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2018-0003

Today, VMware has released the following new security advisory:

VMSA-2018-0003vRealize Operations for Horizon, vRealize Operations for Published Applications, Workstation, Horizon View Client and Tools updates resolve multiple security vulnerabilities

This documents the remediation of three Important severity issues (CVE-2017-4945, CVE-2017-4946, and CVE-2017-4948).

Issues (a) CVE-2017-4946 is a privilege escalation vulnerability that affects vRealize Operations for Horizon (V4H) and vRealize Operations for Published Applications (V4PA) agents. Successful exploitation of this issue may allow low privileged windows users to escalate their privileges to SYSTEM. Workaround for ‘vROPs plugin for Horizon’ and ‘vROPs for Published applications’ 6.4.0 and 6.5.0 versions are available. Please see VMSA-2018-0003 for more information

Issue (b) CVE-2017-4948 is an out-of-bounds read issue that occurs via Cortado ThinPrint. This issue affects Workstation and Horizon View Client. On Workstation, this issue in conjunction with other bugs may allow a guest to leak information from host or may allow for a Denial of Service on the Windows OS that runs Workstation. In the case of a Horizon View Client, this issue in conjunction with other bugs may allow a View desktop to leak information from host or may allow for a Denial of Service on the Windows OS that runs the Horizon View Client. Workstation 14.1.0 and Horizon View Client for Windows 4.7.0 fix this issue.

Issue (c) CVE-2017-4945 is a guest access control vulnerability and affects Workstation and Fusion. Successful exploitation of this issue may allow program execution via Unity on locked Windows VMs.

We would like to thank Martin Lemay of GoSecure Inc., Yakun Zhang of McAfee, and Tudor Enache of the United Arab Emirates Computer Emergency Response Team (aeCERT) for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

VMSA-2018-0002 and VMSA-2018-0004

Update 01/10/18: VMSA-2018-0004 has been released detailing Hypervisor-Assisted Guest Mitigation fixes. An explanation of the different types of mitigations being provided by VMware can be found in KB52245. Please note that if you have applied the patches listed in VMSA-2018-0004 you do not need the patches listed in VMSA-2018-0002.

Update 01/04/18: OS vendors have begun issuing patches that address CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754 for their operating systems. For these patches to be fully functional in a guest OS additional ESXi and vCenter Server updates will be required. These updates are being given the highest priority. Please sign up to the Security-Announce mailing list to be alerted when these updates are available.

Today VMware has released the following new security advisory:

VMSA-2018-0002 – VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution.

This advisory documents remediation for known variants of the Bounds-Check Bypass (CVE-2017-5753) and Branch Target Injection (CVE-2017-5715) issues due to speculative execution disclosed today by Google Project Zero. These issues may result in information disclosure from one Virtual Machine to another Virtual Machine that is running on the same host.

A third issue due to speculative execution, Rogue Data Cache Load (CVE-2017-5754), was disclosed along the other two issues. It does not affect ESXi, Workstation, and Fusion because ESXi does not run untrusted user mode code, and Workstation and Fusion rely on the protection that the underlying operating system provides.

The remediation as documented in VMSA-2018-0002, has been present in VMware Cloud on AWS since early December 2017.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisory and direct any questions to VMware Support.

VMSA-2018-0001

New VMware Security Advisory VMSA-2018-0001

On January 2nd 2018 VMware released the following new security advisory:

VMSA-2018-0001 – vSphere Data Protection (VDP) updates address multiple security issues.

This documents several critical severity issues affecting VDP.

Issue (a) is an authenication bypass vulnerability (CVE-2017-15548). A remote unauthenticated malicious user can potentially bypass application authentication and gain unauthorized root access to the affected systems.

Issue (b) is an arbitrary file upload vulnerability (CVE-2017-15549). A remote authenticated malicious user with low privileges could potentially upload arbitrary maliciously crafted files in any location on the server file system.

Issue (c) is a path traversal vulnerability (CVE-2017-15550). A remote authenticated malicious user with low privileges could access arbitrary files on the server file system in the context of the running vulnerable application.

These issues have been addressed in VDP 6.1.6 and 6.0.7.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2017-0021

Today VMware has released the following new security advisory:

VMSA-2017-0021VMware ESXi, vCenter Server Appliance, Workstation and Fusion updates address multiple security vulnerabilities

This documents the remediation of four Important severity issues (CVE-2017-4933, CVE-2017-4940, CVE-2017-4941, and CVE-2017-4943). These issues affect VMware ESXi, VMware Workstation, VMware Fusion and VMware vCenter Server Appliance.

Issues (a) CVE-2017-4941 and (b) CVE-2017-4933 are stack overflow and heap overflow vulnerabilities respectively. Successful exploitation of these issues could result in remote code execution in a virtual machine via the authenticated VNC session. These issues affect VMware ESXi, Workstation, and Fusion. In order for exploitation to be possible in ESXi, VNC must be manually enabled in a virtual machine’s .vmx configuration file. In addition, ESXi must be configured to allow VNC traffic through the built-in firewall.

Issue (c) CVE-2017-4940 is a stored cross-site scripting vulnerability and affects the ESXi Host Client. An attacker can exploit this vulnerability by injecting JavaScript, which might get executed when other users access the Host Client. Please refer to VMSA-2017-0021 for ESXi 6.5, 6.0 and 5.5 patches.

Issue (d) CVE-2017-4943 is a privilege escalation vulnerability via the ‘showlog’ plugin in vCenter Server Appliance (vCSA). Successful exploitation of this issue could result in a low privileged user gaining root level privileges over the appliance base OS. This issue affects only vCSA 6.5.

We would like to thank Alain Homewood of Insomnia Security, Lukasz Plonka, Lilith Wyatt and another member of Cisco Talos for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

VMSA-2017-0020

Today VMware has released the following new security advisory:

VMSA-2017-0020: VMware AirWatch Console updates address Broken Access Control vulnerability.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to Airwatch Support.

New VMware Security Advisories VMSA-2017-0018 and VMSA-2017-0019

11/17/2017 – Updated VMSA-2017-0018 to add the DLL hijacking  issue.

Today, we released VMSA-2017-0018 and VMSA-2017-0019.

VMSA-2017-0018 – VMware Workstation, Fusion, and Horizon View Client updates resolve multiple security vulnerabilities

This documents critical, important and moderate severity vulnerabilities affecting VMware Horizon View Client for Windows 4.x, Workstation 12.x and Fusion 8.x.

Issue (a) is a heap-based buffer overflow vulnerability (CVE-2017-4934) which affects VMware Workstation and Fusion and may allow a guest to execute code on the host. This issue has been addressed in VMware Workstation 12.5.8 and Fusion 8.5.9.

Issues (b) and (c) are out-of-bounds read/write vulnerabilities (CVE-2017-4935, CVE-2017-4936 and CVE-2017-4937) in JPEG2000 parser in the TPView.dll. These issues exist due the use of vulnerable Cortado ThinPrint component and impact VMware Horizon View Client for Windows and Workstation. Exploitation is possible only if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon View. These issues have been addressed in VMware Workstation 12.5.8 and Horizon View Client for Windows 4.6.1.

Issue (d) is a NULL pointer dereference vulnerability (CVE-2017-4938) in guest RPC and affects VMware Workstation and Fusion. Successful exploitation of this issue may allow attackers with normal user privileges to crash their VMs. This issue has been addressed in VMware Workstation 12.5.8 and Fusion 8.5.9.

Issue (e) is a DLL hijacking issue (CVE-2017-4939) that exists due to some DLL files loaded by the application improperly. This issue may allow an attacker to load a DLL file of the attacker’s choosing that could execute arbitrary code. VMware Workstation versions 12.x are affected. Workstation 12.5.8 fixes this issue.

We would like to thank Ke Liu of Tencent’s Xuanwu Lab, Skyer, Björn Ruytenberg, Jun Mao of Tencent PC Manager working with Trend Micro’s Zero Day Initiative and Anonymous working with Trend Micro’s Zero Day Initiative for reporting these issues to us.

VMSA-2017-0019 – NSX for vSphere update addresses NSX Edge Cross-Site Scripting (XSS) issue

This documents a moderate severity cross-site scripting issue (CVE-2017-4929) affecting NSX Edge (6.2.x, and 6.3.x). Successful exploitation of this issue may lead to information disclosure. This issue has been addressed in NSX Edge versions 6.2.9 and 6.3.5.

We would like to thank Jarad Kopf of Deltek and Issam Rabhi for independently reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2017-0017

Today VMware has released the following new security advisory:

VMSA-2017-0017 – VMware vCenter Server update resolves LDAP DoS, SSRF and CLRF injection issues

This documents the remediation of two moderate severity issues, CVE-2017-4927 and CVE-2017-4928. These issues affect VMware vCenter Server.

Issue (a) CVE-2017-4927: VMware vCenter Server doesn’t correctly handle specially crafted LDAP network packets which may allow for remote DoS. This issue affects vCenter Server 6.5 and 6.0. vCenter Server 6.5 U1 and 6.0 U3c fix this issue.

Issue (b) CVE-2017-4928: SSRF and CRLF injection issues in vSphere web client. This issue affects vCenter Server 6.0 and 5.5. vCenter Server 6.0 U3c and 5.5 U3f fix this issue.

We would like to thank Honggang Ren of Fortinet’s FortiGuard Labs and ricterzheng @ Tencent Yunding Lab for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.